Access your network remotely via a jump server, SSH forwarding and SSH chains.
Recently I wrote about how to configure a jump server in a secure manner. But now how do we use it effectively to access devices inside the network?
See the earlier article: Securing remote access with a Jumpserver in 10 steps (Secure Remote access for IoT), davewpark.medium.com
While we can SSH to the jump server and then SSH on to other devices in the network, this is not always the most convenient way to reach them, especially as many IoT devices provide a useful built-in web page to display statistics, change configuration and so on.
On our jump server we installed a full desktop so we could reach it over SSH and use a browser there to reach the other devices. However, if those devices' web pages are reachable from anywhere on the network, they are exposed to anyone who has gained a foothold inside it. A more secure option is to restrict each web page to localhost only and use SSH forwarding to reach it over SSH. In this article we'll examine the methods used for this.
Simple Example
First let's look at a very simple example of SSH forwarding to explore the principle. All of the more useful examples that follow are extensions of this.
The basic principle is that the SSH client listens on a local port and forwards every connection made to that port, through the encrypted SSH session, to a destination address as seen from the remote SSH server. We use the -L option for this. SSH is a very flexible protocol and one of its primary uses is to forward TCP ports securely through the tunnel.
ssh -L localhost:portonlocalhost:remotehost:portonremotehost user@remoteSSHserverIP
We can omit the initial bind address, as localhost is the default (unless GatewayPorts is set in your ssh_config), so an example might look like this:
ssh -L 5900:remotehost:5900 admin2@jumpserverIP
Let's turn this into something practical by forwarding a local port to a VNC server running on the jump server, so we can reach its desktop.
Note that we configured a firewall on that server limiting inbound connections to SSH, so the VNC server cannot be reached across the network; it can only be reached on the jump server's own localhost, which is exactly where the forward lands.
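To confirm that the local end of such a forward really is loopback-only, here is an added example in POSIX shell (my code, not from the original article). is_loopback_only parses output in the format of ss -ltn and reports whether every listener on a port is bound to 127.0.0.1 or [::1]; open_tunnel brings the forward up in the background with -f -N and ExitOnForwardFailure=yes (so ssh fails instead of silently connecting without the forward when the local port is already taken) and then runs that check against the live ss output. The ss output embedded below is constructed for the demonstration, and the host, user and ports in the usage comment are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example: verify that the local end of an ssh -L forward is bound to
# loopback only. Not from the original article.

# is_loopback_only SS_OUTPUT PORT
#   SS_OUTPUT: text in the format of `ss -ltn` (State Recv-Q Send-Q Local:Port Peer:Port ...)
#   Returns 0 if every listener on PORT is on 127.0.0.1 or [::1],
#           1 if any listener on PORT is on a wildcard or non-loopback address,
#           2 if nothing listens on PORT at all.
is_loopback_only() {
    printf '%s\n' "$1" | awk -v port="$2" '
        BEGIN { found = 0; bad = 0 }
        NR > 1 {
            p = $4; sub(/.*:/, "", p)                       # port = text after the last colon
            addr = substr($4, 1, length($4) - length(p) - 1) # everything before it
            if (p != port) next
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { if (!found) exit 2; exit bad }'
}

# open_tunnel LOCALPORT TARGETHOST TARGETPORT USER@SSHSERVER [SSHPORT]
#   Opens the forward in the background and checks the listener it created.
#   Binding explicitly to 127.0.0.1 does not depend on the GatewayPorts default.
open_tunnel() {
    if [ -n "$5" ]; then
        ssh -f -N -o ExitOnForwardFailure=yes -L "127.0.0.1:$1:$2:$3" -p "$5" "$4" || return 1
    else
        ssh -f -N -o ExitOnForwardFailure=yes -L "127.0.0.1:$1:$2:$3" "$4" || return 1
    fi
    is_loopback_only "$(ss -ltn)" "$1"
}

# Constructed sample outputs in `ss -ltn` format (not captured from a real host).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5900     0.0.0.0:*
LISTEN 0      128    [::1]:5900         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:5900       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

if is_loopback_only "$SAMPLE_LOOPBACK" 5900; then
    echo "sample 1: port 5900 is loopback-only"
fi
if ! is_loopback_only "$SAMPLE_EXPOSED" 5900; then
    echo "sample 2: port 5900 is reachable from the network, not a safe forward"
fi
# Real use, with assumed names (not from the article):
#   open_tunnel 5900 localhost 5900 admin2@192.0.2.100 && vncviewer 127.0.0.1:5900
```

The second sample is what you would see if a forward had been opened with a wildcard bind address (for example -L 0.0.0.0:5900:localhost:5900, or GatewayPorts yes in ssh_config): the VNC desktop would then be reachable by anyone who can reach your own machine, which defeats the point of hiding it behind SSH.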
Forwarding through a remote jump server
OK, that example was not very useful as everything is on the local network, but it established the principle. So now let's look at what we need to do to reach a remote jump server through the SSH port forwarded to it on the WAN router.
Now we have something useful, as we can reach a desktop on the jump server and from there browse to any internal page in the remote network.
Here are the code snippets:
ssh -L portonlocal:remotelocalhost2:portonlocalhost2 user2@remoteIPWAN -p forwardedport
ssh -L 6000:localhost:5900 admin2@203.0.113.74 -p 30000
Creating a chain
But we have secured all the devices with ufw/iptables to allow only SSH, so we cannot reach their web pages directly. We need to get onto each device and reach its web page via its localhost. We could do that from the jump host, but we can also do it from our own machine using SSH chaining.
Here is a local example.
One thing we need to do here is start a new SSH connection from the jump server to the next host. We do this by giving the first ssh a command to run on the jump server, which is the second ssh, together with the -t option. The -t option forces a pseudo-terminal to be allocated, so the inner ssh can prompt for a password and give us an interactive shell on the final host. The chain is formed by each ssh running the next one.
Here are the code snippets:
ssh -t -L portonlocal:remotelocalhost2:portonlocalhost2 user2@remoteIP2 ssh -L portonlocalhost2:remotelocalhost3:portonlocalhost3 user3@remoteIP3
ssh -t -L 7000:localhost:6000 admin2@192.0.2.100 ssh -L 6000:localhost:5900 admin3@192.0.2.200
A chain through a remote jump server
And now for the most useful example: the jump server is remote, and we use an SSH chain through it to securely reach the desktops on the hosts and devices in its local network.
And, as ever, the code snippets:
ssh -t -L portonlocal:remotelocalhost2:portonlocalhost2 user2@remoteIPWAN -p forwardedport ssh -L portonlocalhost2:remotelocalhost3:portonlocalhost3 user3@remoteIP3
ssh -t -L 7000:localhost:6000 admin2@203.0.113.74 -p 30000 ssh -L 6000:localhost:5900 admin3@192.0.2.200
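The port numbers in a chain are easy to get wrong: the port each hop forwards to must be the port the next hop listens on, and only the hops that run a further ssh need -t. As an added example (my code, not from the original article), the shell function below generates the nested command from a list of hops and a list of ports, and refuses to run if the counts do not match. It covers the local chain, the jump server reached through a WAN port forward (the user@host:sshport form), and, as a generalization the article does not show, chains of more than two hops. The hosts and ports are the article's placeholders; the third host in the last call is an assumption added for the demonstration. The generated command puts -p before the destination rather than after it as in the article; ssh accepts both.

```shell
#!/bin/sh
# Added example: generate the nested ssh command for an SSH chain.
# Not from the original article.

# build_chain "PORTS" HOP...
#   PORTS: space-separated list with exactly one more entry than there are hops:
#          the port to listen on locally, then the port each intermediate host
#          listens on, then the service port on the final host.
#   HOP:   user@host, or user@host:sshport when sshd is reached on a non-default
#          port (for example a port forwarded on the WAN router).
#   Prints the command on stdout; returns 1 if the port list does not fit the hops.
build_chain() {
    ports=$1
    shift
    nhops=$#
    nports=0
    for p in $ports; do nports=$((nports + 1)); done
    if [ "$nports" -ne $((nhops + 1)) ]; then
        echo "build_chain: need $((nhops + 1)) ports for $nhops hops, got $nports" >&2
        return 1
    fi
    cmd=""
    i=0
    for hop in "$@"; do
        i=$((i + 1))
        listen=${ports%% *}    # port this hop listens on (on the machine running this ssh)
        ports=${ports#* }
        target=${ports%% *}    # port it forwards to on the next machine's localhost
        case $hop in
            *:*) dest=${hop%%:*}; pflag=" -p ${hop#*:}" ;;
            *)   dest=$hop; pflag="" ;;
        esac
        # Every hop except the last runs another ssh, so give it a tty with -t.
        if [ "$i" -lt "$nhops" ]; then tflag="-t "; else tflag=""; fi
        seg="ssh ${tflag}-L ${listen}:localhost:${target}${pflag} ${dest}"
        if [ -z "$cmd" ]; then cmd=$seg; else cmd="$cmd $seg"; fi
    done
    printf '%s\n' "$cmd"
}

# The article's local chain: 192.0.2.100 is the jump server, 192.0.2.200 the device.
build_chain "7000 6000 5900" admin2@192.0.2.100 admin3@192.0.2.200
# The same chain with the jump server reached through the WAN port forward on 30000.
build_chain "7000 6000 5900" admin2@203.0.113.74:30000 admin3@192.0.2.200
# Three hops need four ports; admin4@192.0.2.201 is an assumed extra host.
build_chain "7000 6000 6000 5900" admin2@203.0.113.74:30000 admin3@192.0.2.200 admin4@192.0.2.201
# A port list that does not match the hops is rejected rather than silently mis-wired.
if ! build_chain "7000 6000" admin2@192.0.2.100 admin3@192.0.2.200 2>/dev/null; then
    echo "rejected: two ports cannot wire two hops"
fi
```

Remember that the second ssh runs on the jump server: its -L 6000:localhost:5900 binds port 6000 on the jump server's loopback, and it authenticates to the device with whatever keys the admin2 account holds there, or prompts you through the tty that -t provides. Adding -o ExitOnForwardFailure=yes to each segment makes the chain fail loudly if one of the intermediate ports is already in use instead of giving you a session with no forward.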
So now we have used SSH tunnelling and SSH chains, together with a router port forward, to securely access our remote devices.
It should be noted that this is a very powerful tool and without care can be a security risk: every forward is a path through a firewall that the firewall cannot inspect. You should not be using this to access your corporate network.
Instead, this tool is very convenient if you need remote access to a particular secured network segment via a secure jump server.
I will note that I did not use remote forwarding as I wanted to keep the security tighter and not allow the server to tunnel out. I also did not use the -J option; that's something for a future article.